List Archives

[ActiveDir] cannot log w2k3 trusting domain, account in the w2k3 trusted domain

jppmendes — Sun, 05 Jul 2009 10:06:31 GMT

Does anyone have pass trought this cenario?

You cannot log on to a computer in the Windows Server 2003 trusting domain
by using a user account in the Windows Server 2003 trusted domain

Both domains in a trust relationship share a password. This password is
stored in the Trusted Domain Object (TDO) in Active Directory. As part of
the account maintenance process, the trusting domain controller changes the
password that is stored in the TDO every 30 days. If the changed trust
password has not replicated to all domain controllers *in an hour*, some
domain controllers still use the old trust password. Therefore, the
authentication fails.

I have sites links with 180min, so have this prob...

http://support.microsoft.com/kb/941761/en-us

How can I reset the trust password for a two way trust ?

[ActiveDir] cannot log w2k3 trusting domain, account in the w2k3 trusted domain

jppmendes — Sun, 05 Jul 2009 09:46:16 GMT

RE: [ActiveDir] Exchange and Active Directory authentication confusion

bdesmond — Fri, 03 Jul 2009 02:39:59 GMT

Yeah that design makes no sense to me given what I imagine your environment looks like (having spent a lot of time in K-12).

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 7:20 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

I had a hard time describing what the consultant did. The domain design looks like this:

|Administrative Root domain
|High school domain
|Middle school domain
|Elementary school domain

As opposed to a Parent Administraive Root domain with the other domains being branches of the root domain in a "tree". By forest domain design I mean just how the domains are arranged visually in the forest. The consultant's design does not have child or branch domains at least not visually.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Thursday, July 02, 2009 2:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

That was my first thought too, but the fact that he says "forest domain design" seems to imply that he sees a distinction. Of course, we could just wait til the OP relies.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication confusion

Didn't Dave mean separate forests by "All of the domains are flat rather than parent child hierarchical. The explanation for this was better security." ?
On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE) <pbergson@allete.com<mailto:pbergson@allete.com>> wrote:

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,

Brian Desmond

brian@briandesmond.com<mailto:brian@briandesmond.com>

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.

The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't really need six domains.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ user could logon.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subject: [ActiveDir] Exchange and Active Directory authentication confusion

I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could login to e-mail remotely via Outlook Web Access. Now if user accounts are replicated forest-wide? Then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreacheable remote server) not disconnected due to a out of service T1 WAN link?

RE: [ActiveDir] Exchange and Active Directory authentication confusion

ddriggs — Fri, 03 Jul 2009 01:20:34 GMT

I had a hard time describing what the consultant did. The domain design
looks like this:

|Administrative Root domain

|High school domain

|Middle school domain

|Elementary school domain

As opposed to a Parent Administraive Root domain with the other domains
being branches of the root domain in a "tree". By forest domain design I
mean just how the domains are arranged visually in the forest. The
consultant's design does not have child or branch domains at least not
visually.

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Crawford, Scott
Sent: Thursday, July 02, 2009 2:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

That was my first thought too, but the fact that he says "forest domain
design" seems to imply that he sees a distinction. Of course, we could just
wait til the OP relies.

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication
confusion

Didn't Dave mean separate forests by "All of the domains are flat rather
than parent child hierarchical. The explanation for this was better
security." ?

On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE) <pbergson@allete.com>
wrote:

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Said explanation is 100% wrong.

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - <http://www.briandesmond.com/ad4/>
http://www.briandesmond.com/ad4/

Microsoft MVP - <https://mvp.support.microsoft.com/profile/Brian>
https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

This forest domain design was done before my time by a consultant. It is a
very odd design. All of the domains are flat rather than parent child
hierarchical. The explanation for this was better security. If anyone
compromised one domain it would be more difficult to get access to the other
domains. I am somewhat skeptical of this explanation. This is a K-12
environment so there is the possibility of malicious end users.

The next iteration to 2008 server I hope to migrate to the one forest one
domain design that seems to be the consensus for better and easier
maintenance?

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Have a domain controller for every domain you want authentication to be
available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't
really need six domains.

--

O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

_____

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Thank you for clearing this up for me. Another hole in my knowledge has
been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

The security information to authenticate/authorize a user is not replicated
forest wide. A user can only be authenticated by a domain controller for the
domain they are a member of. So say you have one DC for DomainXYZ and it
went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ
user could logon.

--

O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

_____

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and Active Directory authentication confusion

I am having some confusion about Exchange authentication and Active
Directory. We have a single forest with six domains that is Windows server
2003 R2SP2. The Exchange Server (2003) is in the root domain on a server
that is not a domain controller. Two of the domains in our forest are remote
sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one at
the remote site could log into the Exchange server. This is understandable
when the employees are on the site with the dead T1 connection. What
confuses me is that none of the employees at this site could login to e-mail
remotely via Outlook Web Access. Now if user accounts are replicated
forest-wide? Then why could the users at the disconnected remote site not
log into OWA via another domain controller (which authenticates users for
the unreacheable remote server) not disconnected due to a out of service T1
WAN link?

RE: [ActiveDir] Exchange and Active Directory authentication confusion

CrawfordS — Thu, 02 Jul 2009 22:19:26 GMT

That was my first thought too, but the fact that he says "forest domain
design" seems to imply that he sees a distinction. Of course, we could
just wait til the OP relies.

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication
confusion

Didn't Dave mean separate forests by "All of the domains are flat rather
than parent child hierarchical. The explanation for this was better
security." ?

On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE)
<pbergson@allete.com> wrote:

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Said explanation is 100% wrong.

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
<http://www.briandesmond.com/ad4/>

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
<https://mvp.support.microsoft.com/profile/Brian>

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

This forest domain design was done before my time by a consultant. It
is a very odd design. All of the domains are flat rather than parent
child hierarchical. The explanation for this was better security. If
anyone compromised one domain it would be more difficult to get access
to the other domains. I am somewhat skeptical of this explanation. This
is a K-12 environment so there is the possibility of malicious end
users.

The next iteration to 2008 server I hope to migrate to the one forest
one domain design that seems to be the consensus for better and easier
maintenance?

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Have a domain controller for every domain you want authentication to be
available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't
really need six domains.

--

O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

Thank you for clearing this up for me. Another hole in my knowledge
has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication
confusion

The security information to authenticate/authorize a user is not
replicated forest wide. A user can only be authenticated by a domain
controller for the domain they are a member of. So say you have one DC
for DomainXYZ and it went down, even though you have 100 DCs for
DomainPDQ not a single DomainXYZ user could logon.

--

O'Reilly Active Directory Fourth Edition -
http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and Active Directory authentication
confusion

I am having some confusion about Exchange authentication and Active
Directory. We have a single forest with six domains that is Windows
server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a
server that is not a domain controller. Two of the domains in our forest
are remote sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one
at the remote site could log into the Exchange server. This is
understandable when the employees are on the site with the dead T1
connection. What confuses me is that none of the employees at this site
could login to e-mail remotely via Outlook Web Access. Now if user
accounts are replicated forest-wide? Then why could the users at the
disconnected remote site not log into OWA via another domain controller
(which authenticates users for the unreacheable remote server) not
disconnected due to a out of service T1 WAN link?

RE: [ActiveDir] Exchange and Active Directory authentication confusion

pbbergs — Thu, 02 Jul 2009 22:15:22 GMT

I took it as a single forest with disjoint name space for each domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 4:00 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

I just got the impression he as 6 domain trees in his forest based on that note and the original post.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication confusion

Didn't Dave mean separate forests by "All of the domains are flat rather than parent child hierarchical. The explanation for this was better security." ?
On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE) <pbergson@allete.com<mailto:pbergson@allete.com>> wrote:

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,

Brian Desmond

brian@briandesmond.com<mailto:brian@briandesmond.com>

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.

The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't really need six domains.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ user could logon.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subject: [ActiveDir] Exchange and Active Directory authentication confusion

I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could login to e-mail remotely via Outlook Web Access. Now if user accounts are replicated forest-wide? Then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreacheable remote server) not disconnected due to a out of service T1 WAN link?

RE: [ActiveDir] Exchange and Active Directory authentication confusion

bdesmond — Thu, 02 Jul 2009 22:13:21 GMT

Actually probably seven as you would have ended up needing an Exchange resource forest probably.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 4:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

So the consultant really needed to create gulp six different forests? I would never do that.

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Paul Bergson (ALLETE)
Sent: Thursday, July 02, 2009 1:48 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.
The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't really need six domains.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ user could logon.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and Active Directory authentication confusion
I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.
Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could login to e-mail remotely via Outlook Web Access. Now if user accounts are replicated forest-wide? Then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreacheable remote server) not disconnected due to a out of service T1 WAN link?

RE: [ActiveDir] Exchange and Active Directory authentication confusion

bdesmond — Thu, 02 Jul 2009 22:01:08 GMT

I just got the impression he as 6 domain trees in his forest based on that note and the original post.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Rick Sheikh
Sent: Thursday, July 02, 2009 3:57 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Exchange and Active Directory authentication confusion

Didn't Dave mean separate forests by "All of the domains are flat rather than parent child hierarchical. The explanation for this was better security." ?

On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE) <pbergson@allete.com<mailto:pbergson@allete.com>> wrote:

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,

Brian Desmond

brian@briandesmond.com<mailto:brian@briandesmond.com>

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.

The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't really need six domains.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org<mailto:activedir@mail.activedir.org>
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ user could logon.

--

O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________

From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org<mailto:ActiveDir@mail.activedir.org>
Subject: [ActiveDir] Exchange and Active Directory authentication confusion

I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.

Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could login to e-mail remotely via Outlook Web Access. Now if user accounts are replicated forest-wide? Then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreacheable remote server) not disconnected due to a out of service T1 WAN link?

Re: [ActiveDir] Exchange and Active Directory authentication confusion

scharique — Thu, 02 Jul 2009 21:59:05 GMT

Didn't Dave mean separate forests by "All of the domains are flat rather
than parent child hierarchical. The explanation for this was better
security." ?

On Thu, Jul 2, 2009 at 3:48 PM, Paul Bergson (ALLETE)
<pbergson@allete.com>wrote:

> Agree with Brian.
>
>
>
> Security boundary is the forest not the domain.
>
>
>
>
>
>
>
> Thanks
>
>
>
> Paul
>
>
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Brian Desmond
> *Sent:* Thursday, July 02, 2009 3:17 PM
> *To:* activedir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Exchange and Active Directory authentication
> confusion
>
>
>
> *Said explanation is 100% wrong. *
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *brian@briandesmond.com*
>
> * *
>
> *c - 312.731.3132*
>
> * *
>
> *Active Directory, 4th Ed - http://www.briandesmond.com/ad4/*
>
> *Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian*
>
> * *
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Dave
> *Sent:* Thursday, July 02, 2009 3:13 PM
> *To:* activedir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Exchange and Active Directory authentication
> confusion
>
>
>
> This forest domain design was done before my time by a consultant. It is
> a very odd design. All of the domains are flat rather than parent child
> hierarchical. The explanation for this was better security. If anyone
> compromised one domain it would be more difficult to get access to the other
> domains. I am somewhat skeptical of this explanation. This is a K-12
> environment so there is the possibility of malicious end users.
>
> The next iteration to 2008 server I hope to migrate to the one forest one
> domain design that seems to be the consensus for better and easier
> maintenance?
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *joe
> *Sent:* Thursday, July 02, 2009 5:26 AM
> *To:* activedir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Exchange and Active Directory authentication
> confusion
>
>
>
> Have a domain controller for every domain you want authentication to be
> available for in the locations you want it available.
>
>
>
> Alternately, get collapse the six domains down to one, you likely don't
> really need six domains.
>
>
>
>
>
> --
>
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
>
>
>
> ------------------------------
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Dave
> *Sent:* Wednesday, July 01, 2009 6:31 PM
> *To:* activedir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Exchange and Active Directory authentication
> confusion
>
> Thank you for clearing this up for me. Another hole in my knowledge has
> been patched! Are there any workarounds for this limitation?
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *joe
> *Sent:* Wednesday, July 01, 2009 3:03 PM
> *To:* activedir@mail.activedir.org
> *Subject:* RE: [ActiveDir] Exchange and Active Directory authentication
> confusion
>
>
>
> The security information to authenticate/authorize a user is not replicated
> forest wide. A user can only be authenticated by a domain controller for the
> domain they are a member of. So say you have one DC for DomainXYZ and it
> went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ
> user could logon.
>
>
>
>
>
> --
>
> O'Reilly Active Directory Fourth Edition -
> http://www.joeware.net/win/ad4e.htm
>
>
>
>
>
>
> ------------------------------
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Dave
> *Sent:* Wednesday, July 01, 2009 5:51 PM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* [ActiveDir] Exchange and Active Directory authentication
> confusion
>
> I am having some confusion about Exchange authentication and Active
> Directory. We have a single forest with six domains that is Windows server
> 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server
> that is not a domain controller. Two of the domains in our forest are remote
> sites connected via a T1 WAN link.
>
> Recently the T1 link to one of our sites went down. As a result no one at
> the remote site could log into the Exchange server. This is understandable
> when the employees are on the site with the dead T1 connection. What
> confuses me is that none of the employees at this site could login to e-mail
> remotely via Outlook Web Access. Now if user accounts are replicated
> forest-wide? Then why could the users at the disconnected remote site not
> log into OWA via another domain controller (which authenticates users for
> the unreacheable remote server) not disconnected due to a out of service T1
> WAN link?
>

RE: [ActiveDir] Exchange and Active Directory authentication confusion

pbbergs — Thu, 02 Jul 2009 21:48:57 GMT

Agree with Brian.

Security boundary is the forest not the domain.

Thanks

Paul

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Thursday, July 02, 2009 3:17 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Said explanation is 100% wrong.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Thursday, July 02, 2009 3:13 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

This forest domain design was done before my time by a consultant. It is a very odd design. All of the domains are flat rather than parent child hierarchical. The explanation for this was better security. If anyone compromised one domain it would be more difficult to get access to the other domains. I am somewhat skeptical of this explanation. This is a K-12 environment so there is the possibility of malicious end users.
The next iteration to 2008 server I hope to migrate to the one forest one domain design that seems to be the consensus for better and easier maintenance?

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Thursday, July 02, 2009 5:26 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

Have a domain controller for every domain you want authentication to be available for in the locations you want it available.

Alternately, get collapse the six domains down to one, you likely don't really need six domains.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 6:31 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion
Thank you for clearing this up for me. Another hole in my knowledge has been patched! Are there any workarounds for this limitation?

From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of joe
Sent: Wednesday, July 01, 2009 3:03 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Exchange and Active Directory authentication confusion

The security information to authenticate/authorize a user is not replicated forest wide. A user can only be authenticated by a domain controller for the domain they are a member of. So say you have one DC for DomainXYZ and it went down, even though you have 100 DCs for DomainPDQ not a single DomainXYZ user could logon.

--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm

________________________________
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Dave
Sent: Wednesday, July 01, 2009 5:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exchange and Active Directory authentication confusion
I am having some confusion about Exchange authentication and Active Directory. We have a single forest with six domains that is Windows server 2003 R2SP2. The Exchange Server (2003) is in the root domain on a server that is not a domain controller. Two of the domains in our forest are remote sites connected via a T1 WAN link.
Recently the T1 link to one of our sites went down. As a result no one at the remote site could log into the Exchange server. This is understandable when the employees are on the site with the dead T1 connection. What confuses me is that none of the employees at this site could login to e-mail remotely via Outlook Web Access. Now if user accounts are replicated forest-wide? Then why could the users at the disconnected remote site not log into OWA via another domain controller (which authenticates users for the unreacheable remote server) not disconnected due to a out of service T1 WAN link?